
Re: [Xen-devel] [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling

>>> On 28.10.13 at 09:31, "Liu, Jinsong" <jinsong.liu@xxxxxxxxx> wrote:
> Jan Beulich wrote:
>> While mentally going through this logic again I noticed, however,
>> that the cache flushing your patch is doing is still insufficient:
>> Doing this just when CD gets set and in the context switch path is not
>> enough. This needs to be done prior to each VM entry, unless it
>> can be proven that the hypervisor (or the service domain) didn't
>> touch guest memory.
> I think it's safe: it only needs to guarantee that no vcpu guest context is involved
> in the small window between cache flushing and TLB invalidation -- after that
> it doesn't care whether the hypervisor touches guest memory or not, since the cache is
> clear and the old memory type in the TLB is invalidated (and is UC afterwards), so no
> cache line will be polluted by guest context any more.

No - consider a VM exit while in this mode where, in order to process
it, the hypervisor or service domain touches guest memory. Such
touching will happen with caches being used, and hence unwritten
data may be left in the caches when exiting back to the guest when
there's no wbinvd on the VM entry path. I don't think anything is
being said explicitly anywhere on whether cache contents are being
taken into consideration when CD=0 but PAT enforces UC.
